I don't see this as a WordPress-related issue, but a bad standard (maybe; I have no idea which one you refer to, maybe just a bad tool). wp_oembed_get is a library call for you and you cannot control its output. Assume it was written in C if it makes it easier for you... it returns HTML that should not be escaped and there is nothing to do about it.
– Mark Kaplun, Oct 13 '16 at 4:11

So you are effectively saying that if you want to pass the WP coding standards then you cannot use wp_oembed_get? That would make things... difficult.
– Tims, Oct 13 '16 at 4:18

@DaveRomsey They are the exact two tools that I am using. Great for making sure everyone in a team works to the same standards, especially when you combine them with a git hook so that you cannot even commit unless your code passes.
– Tims, Oct 13 '16 at 5:37

As I said, WordPress for you is a library that you cannot control. If your coding standards are not flexible enough, then either they are not useful or you should not use the library. oEmbed as a protocol returns HTML, so I am not sure how you can force it to be "escaped" even if you take WordPress out of the equation.
– Mark Kaplun, Oct 13 '16 at 6:07

1 Answer
1

Note that the WPCS standards for PHPCS are not "official". I am one of the maintainers, and all that we can do is to do our best to match the standards that WordPress suggests. In this case, I'm unsure how you would escape the output from wp_oembed_get(). The function may indeed need to be escaped as the returned value is passed through several filters, and may actually contain raw unvalidated HTML from the oEmbed provider.

If you trust the oEmbed provider, the filters, and your network connection, one option would be to just whitelist this line of code, like this:

However, if the URL is user supplied or something, and you don't think it is safe to trust the possible provider(s) in the context of your plugin, then you might want to take a look at the raw value being returned by wp_oembed_get() and see about crafting a whitelist of HTML elements and attributes to expect, to pass to wp_kses().

Note that obviously the WordPress core developers feel that the risk from oEmbed discovery isn't very great, and so users can paste links into posts and they will be auto-embedded. WPCS is simply super-paranoid about these things, and it is up to the developer to know when it might be OK to take its advice with a grain of salt. One of the strictest followers of the late-escaping policy is wp.com VIP. Looking at its developer documentation, however, reveals that it does seem to allow the use of wp_oembed_get(), though it suggests the use of its custom implementation, wpcom_vip_wp_oembed_get(), for added caching features.

So in the end, you probably shouldn't be too worried about escaping wp_oembed_get(). If you raise the issue on WPCS's GitHub repo, the function might even get added to the default whitelist.
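As an added example (not code from the answer above, nor from WordPress or WPCS), here is a wrapper that applies the second approach the answer describes: take the raw wp_oembed_get() output and run it through wp_kses() with an allowlist tailored to the provider(s) a plugin actually expects. The function name myplugin_get_safe_oembed() and the element/attribute list are assumptions for a typical iframe-based provider; inspect your provider's real output and adjust the list.

```php
<?php
/**
 * Fetch an oEmbed fragment and filter it with wp_kses().
 *
 * Added example, not part of the original answer. The allowlist below is a
 * constructed assumption for an iframe-based provider; compare it against the
 * raw wp_oembed_get() output for the providers your plugin supports.
 *
 * @param string $url  URL to embed (may be user supplied).
 * @param array  $args Optional arguments passed through to wp_oembed_get().
 * @return string Filtered HTML, or an empty string if there is no embed.
 */
function myplugin_get_safe_oembed( $url, $args = array() ) {
	// wp_oembed_get() returns false when no provider handles the URL.
	$html = wp_oembed_get( $url, $args );
	if ( false === $html ) {
		return '';
	}

	// Only the elements and attributes the embed actually needs.
	// Anything else (script, style, on* handlers, unknown tags) is stripped.
	$allowed_html = array(
		'iframe'     => array(
			'src'             => true,
			'width'           => true,
			'height'          => true,
			'title'           => true,
			'frameborder'     => true,
			'allow'           => true,
			'allowfullscreen' => true,
		),
		'blockquote' => array( 'class' => true, 'cite' => true ),
		'p'          => array(),
		'a'          => array( 'href' => true, 'title' => true, 'rel' => true ),
	);

	// URL-valued attributes (src, href, cite) must use https; values with
	// other schemes such as http: or javascript: are rejected by kses.
	$allowed_protocols = array( 'https' );

	return wp_kses( $html, $allowed_html, $allowed_protocols );
}

// Usage in a template. The URL is a placeholder; in a real plugin it may come
// from user input, which is exactly the case the answer says warrants filtering.
echo myplugin_get_safe_oembed( 'https://example.com/placeholder-video' );
```

Because the filtering happens inside the wrapper, a WPCS EscapeOutput sniff still has no way to know the returned string is already escaped; either call wp_kses() directly at the echo site or configure WPCS to treat the wrapper as an escaping function.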